EU AI Act for Small and Medium Businesses: What You Actually Have to Do (2026)
The EU AI Act is now binding. Most compliance content is written by lawyers for enterprises. This is the practical version for a 5 to 50-person European business, written by someone who builds AI systems for a living, not someone who litigates them. Not legal advice.
If you run a small or medium business in Europe and you've started using AI tools - a chatbot, an AI hiring filter, ChatGPT for content, automation that talks to customers - you've probably wondered if the EU AI Act applies to you. The honest answer: yes, it does, and probably less than you fear, but more than zero.
Most legal blogs on this topic are 4,000 words and end with "consult a lawyer". This piece skips the hedging and gives you the operational version - what your obligations actually are, where the real risks are, and what to do this month.
TL;DR
For most European SMBs in 2026, the EU AI Act compliance work fits in one afternoon plus a few hours of ongoing effort each quarter. The summary:
| Risk tier | What it means for you | Action |
|---|---|---|
| Minimal risk | Spam filters, basic productivity AI, internal tools | No specific obligations |
| Limited risk | Chatbots, AI content, deepfakes | Disclose to users that AI is involved |
| High risk | Hiring AI, credit decisions, employee monitoring | Real compliance work - documentation, oversight, logs |
| Unacceptable | Social scoring, manipulative AI | Banned. Don't use. |
Most SMBs land in minimal or limited risk. The trap is hiring/HR AI tools - those are usually high risk even if you bought a SaaS product to do it. Read on for specifics.
What the EU AI Act actually is
The EU AI Act is the world's first comprehensive AI regulation. It entered into force in August 2024. The key dates that matter:
- February 2025: Prohibited AI practices (social scoring, manipulative AI, untargeted facial recognition) became illegal. Also: every organisation deploying AI must ensure staff have "AI literacy".
- August 2025: Rules for general-purpose AI providers (like OpenAI, Anthropic) kicked in.
- August 2026: Most high-risk AI system obligations apply, along with the transparency rules for chatbots, deepfakes and AI-generated content. This is the big one for many SMBs.
- August 2027: Remaining transition deadlines for embedded high-risk systems.
The Act uses a risk-based approach. The higher the risk an AI system poses to people's rights, the heavier the obligations. Banks doing credit decisions get heavy rules. Spam filters get nothing.
Provider vs Deployer - which one are you?
This distinction matters more than most articles explain. The Act treats two roles differently:
- Provider: You build or sell an AI system. Heavy obligations.
- Deployer: You use someone else's AI system in your business. Lighter obligations.
The vast majority of European SMBs are deployers. You're buying SaaS tools that have AI inside them, or you're using ChatGPT, Claude, Gemini, or similar to run parts of your business. You're not building the underlying model.
This means the heavy lifting on technical documentation, conformity assessment, and model registration is on the providers (your vendors). Your job is to use these tools responsibly, document what you're doing, and disclose AI involvement where required.
There is one exception: if you put your own name on a high-risk system, substantially modify it, or change its intended purpose so that it becomes high-risk (significant fine-tuning can do this), you cross into provider territory. For most SMBs, this means: don't fine-tune large models yourself unless you really know what you're doing.
The 4 risk tiers, explained without jargon
Unacceptable risk - banned
These AI uses are illegal everywhere in the EU as of February 2025:
- Social scoring of people based on their social behaviour or inferred characteristics, whether by public authorities or private companies (think Black Mirror, not credit ratings)
- Subliminal manipulation that causes harm
- Exploiting vulnerabilities of children, disabled people, or people in vulnerable circumstances
- Untargeted facial recognition scraping from the internet
- Real-time remote biometric identification in publicly accessible spaces by law enforcement (with narrow exceptions for serious crime)
- Emotion recognition in workplaces and schools (with narrow exceptions for medical or safety reasons)
If your business does any of this, you have bigger problems than the AI Act. Most SMBs don't go near this category.
High risk - the category to watch for
This is where most SMB owners get caught off guard. High-risk AI systems include:
- Hiring and recruiting tools (resume screening, candidate ranking)
- Employee performance monitoring and management
- Access to essential services (credit decisions, insurance pricing)
- Access to education and vocational training
- Critical infrastructure
- Law enforcement and migration tools
- Justice and democratic processes
If you're using an AI tool to screen CVs, rank applicants for credit or insurance, or evaluate employees, you're deploying a high-risk system. Deployer obligations include:
- Use the system as the provider's instructions describe, and document the system, its purpose, and how decisions are made
- Ensure meaningful human oversight by people with the competence and authority to override the AI
- Keep the logs the system generates for at least six months
- Inform people affected by AI decisions; as an employer, also inform workers' representatives and affected staff before putting the system into use
- Have someone in your organisation responsible for monitoring it and for reporting serious incidents to the provider
The provider of the tool handles most technical conformity. Your job as a deployer is operational: documentation, oversight, transparency to affected people.
Limited risk - transparency obligations
This is where most customer-facing SMB AI sits:
- Chatbots (must disclose users are talking to AI, unless it's obvious from context)
- Deepfakes: AI-generated or manipulated images, audio or video that look like real people, places or events must be labeled
- AI-generated text published to inform the public on matters of public interest must be labeled, unless a human has reviewed it and someone holds editorial responsibility
- Emotion recognition and biometric categorisation (people exposed to the system must be informed; note that emotion recognition is itself listed as high risk where it is allowed at all)
The compliance is straightforward: tell people. If you have a chatbot, say "Hi, I'm an AI assistant". If you publish AI images or video that could pass for real, label them. Done.
Minimal risk - no obligations
Most AI uses in business sit here:
- Spam filters
- AI-enabled productivity tools (Copilot, Notion AI, ChatGPT for internal use)
- AI in video games
- AI-powered search inside your own data
- Recommendation engines that don't make consequential decisions
No specific AI Act obligations apply. You still have other rules (GDPR for personal data, consumer protection, etc.) but the AI Act itself isn't your concern here.
How common SMB AI uses map to risk tiers
Here's what I see most often in client engagements. Your situation may vary, but this gives you the lens.
| Common SMB AI use | Risk tier | Why |
|---|---|---|
| Customer service chatbot on your website | Limited | Must disclose it's AI |
| AI tool that ranks CVs for hiring | High | Employment-related decisions are high risk |
| Internal Copilot/ChatGPT for staff productivity | Minimal | Internal use, no decisions about others |
| AI-generated blog posts and social media | Limited | Label deepfake-style images and video; text only needs a label if it informs the public on matters of public interest and nobody reviewed it |
| AI lead qualification (scoring inbound leads) | Minimal or Limited | Depends - if the scoring effectively decides who gets access to an essential service such as credit or insurance, it becomes high risk |
| AI booking confirmations and pre-arrival messages | Minimal | Operational automation, no consequential decisions |
| AI tool for performance reviews | High | Employee management is high risk |
| AI in your finance/invoicing automation | Minimal | Process automation, not decision making |
| AI for predicting customer churn (then offering retention) | Minimal | Not making decisions that restrict access |
| Voice AI agent answering phone calls | Limited | Must disclose AI to caller |
The pattern: anything that makes a decision about people's access to opportunity, employment, services, or rights tends to be high risk. Anything that's pure operational automation tends to be minimal.
The 7-step practical compliance plan
For a typical European SMB, this is what you should actually do this quarter:
Step 1: Inventory your AI
List every AI tool your business uses, including:
- Standalone AI products (chatbots, content tools, scheduling AI)
- AI features embedded in SaaS tools you already pay for (CRM with AI scoring, email with AI suggestions, etc.)
- Internal scripts or workflows that use AI APIs
Include the vendor, what it does, who uses it, and what data it sees. A spreadsheet is fine.
Step 2: Classify each one
Apply the risk tier framework above to each AI system. Be honest. The temptation is to under-classify - resist it. If you're not sure whether something is high or limited risk, lean high. Costs are usually low to add a human oversight step; costs are higher if you're caught.
Step 3: Handle the transparency obligations
For everything in the limited risk tier:
- Chatbots: add a disclosure ("Hi, I'm an AI assistant - I'll connect you to a human if you'd like")
- AI-generated images, audio and video that could pass for real: label them
- AI-written text published to inform the public: label it, or put a named human in editorial control before it goes out
- Voice AI agents: opening line must mention it's an AI
This is the cheapest and fastest part. Usually a 30-minute fix per system.
Step 4: Operationalize human oversight for high-risk systems
For anything in the high risk tier:
- Designate a person responsible for monitoring the system
- Define when and how a human can override the AI
- Ensure that override is actually used in practice (not a checkbox)
- Document the process
If you use AI to screen CVs, this means: a human reviews any candidate rejected by AI before they're permanently rejected. The AI flags, the human decides.
Step 5: Document who saw what
For high-risk systems specifically, keep logs of:
- When the system was used
- What decisions it influenced
- When a human override happened and why
Most modern SaaS tools log this for you - make sure logging is enabled, that logs are retained for at least six months, and that you can produce records for a specific person or period if asked.
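What Steps 4 and 5 look like when an SMB builds the oversight gate into its own workflow rather than trusting a vendor checkbox. This is an added example for this article, not code from the article or from any screening product; it assumes a hypothetical CV-screening tool that emits "advance" or "reject" plus a score per opaque candidate ID. An AI "reject" never becomes final until a named human records a decision with a written reason, every event is appended to a hash-chained log so edits or deletions in the middle are detectable, the log can answer "show me everything about candidate X", the six-month retention floor is enforced on pruning, and an override rate of zero over many reviews is surfaced as a sign of rubber-stamping.

```python
"""Human-override gate and audit log for an AI CV-screening step.

Added example; not the article's or any vendor's code. Assumptions
(hypothetical): the screening tool returns "advance"/"reject" plus a
score per opaque candidate ID; timestamps are passed in as aware UTC
datetimes so the log is deterministic offline.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

# Deployers keep the logs a high-risk system generates for at least six
# months (AI Act Art. 26(6)); assumed here as 183 days, no longer sector rule.
MIN_LOG_RETENTION = timedelta(days=183)
GENESIS = "0" * 64


@dataclass(frozen=True)
class LogEntry:
    seq: int
    ts: str            # ISO-8601 UTC
    event: str         # "ai_recommendation" or "human_review"
    candidate_id: str
    data: dict
    prev_hash: str     # hash of the previous entry (tamper-evident chain)
    entry_hash: str


def _digest(seq, ts, event, candidate_id, data, prev_hash) -> str:
    payload = json.dumps([seq, ts, event, candidate_id, data, prev_hash], sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class ScreeningLog:
    """Append-only, hash-chained log of AI outputs and human decisions."""

    def __init__(self) -> None:
        self.entries: list[LogEntry] = []

    def _append(self, ts: datetime, event: str, candidate_id: str, data: dict) -> LogEntry:
        seq = self.entries[-1].seq + 1 if self.entries else 0
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        iso = ts.astimezone(timezone.utc).isoformat()
        entry = LogEntry(seq, iso, event, candidate_id, data, prev,
                         _digest(seq, iso, event, candidate_id, data, prev))
        self.entries.append(entry)
        return entry

    def record_ai(self, ts, candidate_id, recommendation, score, model_version) -> LogEntry:
        if recommendation not in ("advance", "reject"):
            raise ValueError("unknown recommendation")
        return self._append(ts, "ai_recommendation", candidate_id,
                            {"recommendation": recommendation, "score": score,
                             "model_version": model_version})

    def record_human_review(self, ts, candidate_id, decision, reviewer, reason) -> LogEntry:
        # A review needs a prior AI output, a decision and a written reason;
        # an empty reason is the "checkbox" oversight the article warns about.
        if not any(e.candidate_id == candidate_id and e.event == "ai_recommendation"
                   for e in self.entries):
            raise ValueError("no AI recommendation on file for this candidate")
        if decision not in ("advance", "reject") or not reason.strip():
            raise ValueError("human review needs a decision and a written reason")
        return self._append(ts, "human_review", candidate_id,
                            {"decision": decision, "reviewer": reviewer, "reason": reason})

    def outcome(self, candidate_id) -> str:
        """The gate: an AI 'reject' is never final until a human confirms it."""
        ai = human = None
        for e in self.entries:
            if e.candidate_id == candidate_id and e.event == "ai_recommendation":
                ai = e.data["recommendation"]
            elif e.candidate_id == candidate_id and e.event == "human_review":
                human = e.data["decision"]
        if human is not None:
            return human
        return "pending_human_review" if ai == "reject" else (ai or "unknown")

    def records_for(self, candidate_id) -> list[dict]:
        """Everything you can hand over if the candidate or a regulator asks."""
        return [asdict(e) for e in self.entries if e.candidate_id == candidate_id]

    def override_stats(self) -> tuple[int, int]:
        """(AI rejections reviewed, AI rejections overturned); 0 overturned
        across many reviews suggests rubber-stamping, not real oversight."""
        ai_reject = {e.candidate_id for e in self.entries if e.event == "ai_recommendation"
                     and e.data["recommendation"] == "reject"}
        last = {e.candidate_id: e.data["decision"] for e in self.entries
                if e.event == "human_review" and e.candidate_id in ai_reject}
        return len(last), sum(d == "advance" for d in last.values())

    def verify_chain(self) -> bool:
        """Detect edits to, or deletions from, the middle of the log."""
        for i, e in enumerate(self.entries):
            expected_prev = self.entries[i - 1].entry_hash if i else e.prev_hash
            if e.prev_hash != expected_prev or _digest(
                    e.seq, e.ts, e.event, e.candidate_id, e.data, e.prev_hash) != e.entry_hash:
                return False
        return True

    def prune(self, now: datetime) -> int:
        """Drop only leading entries older than the retention floor, so the
        remaining tail stays verifiable; returns how many were dropped."""
        cutoff = now - MIN_LOG_RETENTION
        n = 0
        while n < len(self.entries) and datetime.fromisoformat(self.entries[n].ts) < cutoff:
            n += 1
        del self.entries[:n]
        return n


if __name__ == "__main__":
    # Constructed sample data, not real candidates.
    t0 = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    log = ScreeningLog()
    log.record_ai(t0, "c-001", "reject", 0.31, "screener-v2")
    log.record_human_review(t0 + timedelta(hours=2), "c-001", "advance", "hr.lead",
                            "Relevant experience the model missed")
    print(log.outcome("c-001"), log.override_stats(), log.verify_chain())
```

The deliberate design point is that `outcome()` reads the AI recommendation and the human decision from the same log, so there is no separate "status" field a script could flip to "rejected" without leaving a human-review entry behind it. `prune()` only ever trims from the head, which is what lets `verify_chain()` keep working on the retained tail.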
Step 6: AI literacy for the team
The AI Act requires that staff using AI have AI literacy. There's no certification - you need to be able to show you've made reasonable effort.
For most SMBs this means: one annual session, 1-2 hours, where the team learns what AI is, what it gets wrong, when to trust it, when to escalate to a human, and the basics of GDPR + AI Act as it applies to them.
This is also a great workshop topic, if you want to outsource it. Done well, it makes your team better at using AI day to day, not just compliant.
Step 7: Vendor due diligence
For each AI tool you use, ask the vendor:
- What's the risk classification under the AI Act?
- For high-risk systems, is the system registered in the EU database and CE-marked, and can they share the instructions for use you're expected to follow?
- Where is the data processed (GDPR overlap)?
- How do they handle EU customers' data?
If a vendor can't answer these clearly, that's a flag. Doesn't mean you stop using them, but it's information you should have.
What about fines?
Penalties under the AI Act are real but tiered. The maximums:
- Up to €35 million or 7% of worldwide annual turnover for prohibited AI practices
- Up to €15 million or 3% for most other violations
- Up to €7.5 million or 1% for providing incorrect information to authorities
For SMEs and start-ups, the Act applies whichever of the two figures is lower, so the percentage of turnover is what matters in practice, and fines are meant to be proportionate. But "proportionate" can still mean tens of thousands of euros, and the reputational risk of being publicly cited for an AI compliance failure is worse than the fine.
Realistic exposure for an SMB doing basic compliance reasonably: low. Realistic exposure for an SMB using AI for hiring with zero oversight or documentation: meaningful.
When to call in help
The compliance work above is doable in-house for most SMBs. Reach out to a specialist when:
- You're using high-risk AI (especially hiring or employee management AI) and don't know how to set up human oversight
- You're building or significantly modifying an AI system yourself - that's the provider category and the obligations are heavier
- You operate in a regulated sector (finance, healthcare, education) where AI Act overlaps with sector-specific rules
- You're being audited or have received a query from a regulator
- A vendor refuses to answer due diligence questions and you're not sure if that's a deal-breaker
For everything else, it's a documentation exercise more than a legal one.
Frequently asked questions
Does the EU AI Act apply to small businesses?
Yes. The Act applies to any organisation that develops or deploys AI systems with effects in the EU, regardless of size. There are some lighter obligations for SMEs in specific areas, but the basic compliance applies to everyone.
Do I need a lawyer to comply with the EU AI Act?
For most SMBs, no. The work is operational - documenting what AI you use, classifying it by risk, adding transparency where needed, and setting up human oversight for any high-risk systems. A consultant who understands AI and EU rules can usually walk you through this faster and cheaper than a lawyer.
What's the deadline for AI Act compliance?
It depends on the AI system type. AI literacy and prohibitions on dangerous AI took effect February 2025. High-risk system obligations apply from August 2026. Some embedded systems have until August 2027. Most SMBs should aim to be in good shape by mid-2026.
Is using ChatGPT in my business a problem under the AI Act?
Using ChatGPT (or Claude, Gemini, etc.) for general productivity tasks - drafting emails, summarising documents, brainstorming - is minimal risk. The picture changes if you use it to make decisions about people (hiring, credit, services). Then the AI Act framework kicks in regardless of which tool you use.
Do I need to label AI-generated content on my website?
Only in specific cases. AI-generated or manipulated images, audio and video that could be mistaken for real people, places or events must be labeled. AI-written text only needs a label when it's published to inform the public on matters of public interest and nobody has reviewed it under editorial responsibility. Ordinary marketing copy that a human has checked, and internal AI-assisted writing such as emails and reports, doesn't need a label under the AI Act.
Who is responsible for compliance - me or my SaaS vendors?
Both, with split obligations. Vendors (Providers) handle the technical and conformity assessment work for the AI inside their product. You (Deployer) handle operational obligations: documenting that you use it, ensuring human oversight where required, telling end users when AI is involved. Vendors can't outsource their obligations to you, but you can't outsource yours to them either.
Bottom line
For a European SMB in 2026, the EU AI Act is a chore, not a crisis. The work is roughly:
- One afternoon to inventory and classify your AI systems
- A few hours per high-risk system to set up oversight + documentation
- One team session per year on AI literacy
- A periodic check-in as your AI usage evolves
That's it. Less than most owners fear when they first read the headlines. The trap is hiring AI - if you're using it to filter candidates, that's where real compliance work lives. Get that one right and most of your AI Act exposure is solved.
If you want help running through this for your business, that's a typical 1:1 consultancy session - usually 2 to 3 hours covers a small business's full AI inventory plus operational compliance setup.
Mikkel Solnado is the founder of The AI Solopreneur. Danish, based in Portugal. He helps European small and medium businesses adopt AI through 1:1 consultancy, custom AI builds, and team workshops. This article is practical guidance, not legal advice. For regulated sectors or active investigations, consult a qualified EU AI Act lawyer.